<!doctype html><html lang="en"><head>
    <meta charset="utf-8">
    <title>RTM Locker Ransomware as a Service (RaaS) Now on Linux - Uptycs</title>
    <link rel="shortcut icon" href="https://www.uptycs.com/hubfs/uptycs_mark_1C_purple_rgb.png">
    <meta name="description" content="Uptycs threat research team discovered a new ransomware Linux binary attributed to the RTM group Locker, a known Ransomware-as-a-Service (RaaS) provider.">
    
    
    
      
    
    
    
     

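    <script>
      /*
       * Deferred Google Tag Manager loader.
       *
       * GTM is injected on whichever comes first: the first scroll, mousemove or
       * touchstart on the document, or a timer started at DOMContentLoaded.
       * window.gtmDidInit guards against injecting the script twice.
       *
       * Review notes:
       * - gtm.js is third-party code whose content is set in the GTM container,
       *   not in this page, so Subresource Integrity cannot pin it. The controls
       *   that remain are access to the container and a Content-Security-Policy
       *   limiting what injected tags may load.
       * - NOTE(review): this loader does not go through the
       *   addPrivacyConsentListener callback that gates the Google Analytics
       *   snippet further down this page. Confirm that is intended.
       */
      document.addEventListener('DOMContentLoaded', () => {
        // Fallback: load GTM 4500 ms after the DOM is ready if no interaction has happened.
        setTimeout(initGTM, 4500);
      });
      document.addEventListener('scroll', initGTMOnEvent);
      document.addEventListener('mousemove', initGTMOnEvent);
      document.addEventListener('touchstart', initGTMOnEvent);

      /** Interaction handler: start GTM, then detach the listener that fired. */
      function initGTMOnEvent(event) {
        initGTM();
        event.currentTarget.removeEventListener(event.type, initGTMOnEvent);
      }

      /**
       * Inject the GTM container script once.
       * Returns false when GTM was already initialised, otherwise undefined.
       */
      function initGTM() {
        if (window.gtmDidInit) {
          return false;
        }
        window.gtmDidInit = true; // ensures the script is added to the DOM only once

        const script = document.createElement('script');
        script.async = true;
        // Record the page view once the container has loaded.
        script.onload = () => {
          // Do not rely on gtm.js having created the queue before this runs.
          window.dataLayer = window.dataLayer || [];
          window.dataLayer.push({ event: 'gtm.js', 'gtm.start': new Date().getTime(), 'gtm.uniqueEventId': 0 });
        };
        script.src = 'https://www.googletagmanager.com/gtm.js?id=GTM-P663XDQ';
        document.head.appendChild(script);
      }
    </script>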
    
      <script src="https://www.uptycs.com/hs-fs/hub/2617658/hub_generated/template_assets/122967687066/1688142650926/Uptycs_Theme_2023/js/dist_lottie-player.min.js" defer></script>


    
    
    
    
    <meta property="og:description" content="Uptycs threat research team discovered a new ransomware Linux binary attributed to the RTM group Locker, a known Ransomware-as-a-Service (RaaS) provider.">
    <meta property="og:title" content="RTM Locker Ransomware as a Service (RaaS) Now on Linux - Uptycs">
    <meta name="twitter:description" content="Uptycs threat research team discovered a new ransomware Linux binary attributed to the RTM group Locker, a known Ransomware-as-a-Service (RaaS) provider.">
    <meta name="twitter:title" content="RTM Locker Ransomware as a Service (RaaS) Now on Linux - Uptycs">

    

    
    <style>
/* Minified base rules: CTA button box sizing, breadcrumb menu layout, featured-image float (full width at max-width 568px), and .hs-screen-reader-text, which clips its content to a 1px box so it is visually hidden. */
a.cta_button{-moz-box-sizing:content-box !important;-webkit-box-sizing:content-box !important;box-sizing:content-box !important;vertical-align:middle}.hs-breadcrumb-menu{list-style-type:none;margin:0px 0px 0px 0px;padding:0px 0px 0px 0px}.hs-breadcrumb-menu-item{float:left;padding:10px 0px 10px 10px}.hs-breadcrumb-menu-divider:before{content:'›';padding-left:10px}.hs-featured-image-link{border:0}.hs-featured-image{float:right;margin:0 0 20px 20px;max-width:50%}@media (max-width: 568px){.hs-featured-image{float:none;margin:0;width:100%;max-width:100%}}.hs-screen-reader-text{clip:rect(1px, 1px, 1px, 1px);height:1px;overflow:hidden;position:absolute !important;width:1px}
</style>

<link rel="stylesheet" href="https://www.uptycs.com/hs-fs/hub/2617658/hub_generated/template_assets/105237096759/1688117577120/Uptycs_Theme_2023/css/main.min.css" defer="true">
<link rel="stylesheet" href="https://www.uptycs.com/hs-fs/hub/2617658/hub_generated/template_assets/105237812106/1687366454539/Uptycs_Theme_2023/css/templates/blog.min.css" defer="true">
<link rel="stylesheet" href="https://www.uptycs.com/hs-fs/hub/2617658/hub_generated/template_assets/105237648739/1687991367265/Uptycs_Theme_2023/css/theme-overrides.min.css" defer="true">
<link rel="stylesheet" href="https://www.uptycs.com/hs-fs/hub/2617658/hub_generated/template_assets/118532473678/1685718406549/Uptycs_Theme_2023/css/uptycs-custome-style.min.css" defer="true">
<link rel="stylesheet" href="https://www.uptycs.com/hs-fs/hub/2617658/hub_generated/module_assets/105369588578/1687283974781/module_105369588578_EXT_-_Header_Module_-_2023.min.css">
<link rel="stylesheet" href="https://www.uptycs.com/hs-fs/hub/2617658/hub_generated/module_assets/105720709649/1687366841542/module_105720709649_EXT_-_Footer_Module_-_2023.min.css">
<!-- Editor Styles -->
<style id="hs_editor_style" type="text/css">
/* HubSpot Non-stacked Media Query Styles */
/* At viewport widths of 768px and up, the header rows become horizontal flex
   containers and the header cell/module become vertically centred flex columns. */
@media (min-width:768px) {
  /* Header row: lay its .row-fluid children out in a row. */
  .header-bottom-row-0-vertical-alignment > .row-fluid {
    display: -ms-flexbox !important;
    -ms-flex-direction: row;
    display: flex !important;
    flex-direction: row;
  }
  /* Header cell: column flex container with content centred on the main axis. */
  .cell_1682435404408-vertical-alignment {
    display: -ms-flexbox !important;
    -ms-flex-direction: column !important;
    -ms-flex-pack: center !important;
    display: flex !important;
    flex-direction: column !important;
    justify-content: center !important;
  }
  /* Keep the cell's direct children at their natural size. */
  .cell_1682435404408-vertical-alignment > div {
    flex-shrink: 0 !important;
  }
  /* Nested row inside the cell: same row layout as the outer header row. */
  .cell_1682435404408-row-0-vertical-alignment > .row-fluid {
    display: -ms-flexbox !important;
    -ms-flex-direction: row;
    display: flex !important;
    flex-direction: row;
  }
  /* Header module: column flex container with content centred on the main axis. */
  .header-bottom-module-1-vertical-alignment {
    display: -ms-flexbox !important;
    -ms-flex-direction: column !important;
    -ms-flex-pack: center !important;
    display: flex !important;
    flex-direction: column !important;
    justify-content: center !important;
  }
  /* Keep the module's direct children at their natural size. */
  .header-bottom-module-1-vertical-alignment > div {
    flex-shrink: 0 !important;
  }
}
/* HubSpot Styles (default) */
/* Despite the "-hidden" suffix, these default rules force the row and module
   to be displayed (block and flex respectively). */
.header-bottom-row-0-hidden {
  display: block !important;
}
.header-bottom-module-1-hidden {
  display: flex !important;
}
</style>
<style>
</style>

    <script type="application/ld+json">
{
  "mainEntityOfPage" : {
    "@type" : "WebPage",
    "@id" : "https://www.uptycs.com/blog/rtm-locker-ransomware-as-a-service-raas-linux"
  },
  "author" : {
    "name" : "Uptycs Threat Research",
    "url" : "https://www.uptycs.com/blog/author/uptycs-threat-research",
    "@type" : "Person"
  },
  "headline" : "RTM Locker Ransomware as a Service (RaaS) Now on Linux - Uptycs",
  "datePublished" : "2023-04-26T14:22:35.000Z",
  "dateModified" : "2023-06-16T16:48:00.630Z",
  "publisher" : {
    "name" : "Uptycs",
    "logo" : {
      "url" : "https://2617658.fs1.hubspotusercontent-na1.net/hubfs/2617658/Uptycs%20Logos%202022/uptycs_logo_2C_on-light_rgb.png",
      "@type" : "ImageObject"
    },
    "@type" : "Organization"
  },
  "@context" : "https://schema.org",
  "@type" : "BlogPosting",
  "image" : [ "https://www.uptycs.com/hubfs/RTM%20Locker%20Ransomware%20as%20a%20Service%20-%20Featured%20Image.png" ]
}
</script>


    
<!--  Added by GoogleAnalytics integration -->
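<script>
// Consent-gated Google Analytics (analytics.js) loader.
// A listener is queued on window._hsp via 'addPrivacyConsentListener'. The
// analytics script is injected and the page view sent only when the consent
// object reports consent.allowed or consent.categories.analytics.
var _hsp = window._hsp = window._hsp || [];
_hsp.push(['addPrivacyConsentListener', function(consent) { if (consent.allowed || (consent.categories && consent.categories.analytics)) {
  // Standard analytics.js bootstrap: create the ga() command queue, then insert
  // the async script before the first script element in the document.
  // The URL names https: explicitly, where the original was protocol-relative,
  // so this third-party script is never fetched over plain HTTP, whatever
  // scheme the embedding page was loaded with.
  (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
  (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
  m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
})(window,document,'script','https://www.google-analytics.com/analytics.js','ga');
  ga('create','UA-117543321-1','auto');
  ga('send','pageview');
}}]);
</script>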

<!-- /Added by GoogleAnalytics integration -->


<meta name="viewport" content="width=device-width, initial-scale=1">

<link rel="amphtml" href="https://www.uptycs.com/blog/rtm-locker-ransomware-as-a-service-raas-linux?hs_amp=true">

<meta property="og:image" content="https://www.uptycs.com/hubfs/RTM%20Locker%20Ransomware%20as%20a%20Service%20-%20Featured%20Image.png#keepProtocol">

<meta name="twitter:image" content="https://www.uptycs.com/hubfs/RTM%20Locker%20Ransomware%20as%20a%20Service%20-%20Featured%20Image.png#keepProtocol">


<meta property="og:url" content="https://www.uptycs.com/blog/rtm-locker-ransomware-as-a-service-raas-linux">
<meta name="twitter:card" content="summary">

<link rel="canonical" href="https://www.uptycs.com/blog/rtm-locker-ransomware-as-a-service-raas-linux">
<meta property="og:type" content="article">
<link rel="alternate" type="application/rss+xml" href="https://www.uptycs.com/blog/rss.xml">
<meta name="twitter:domain" content="www.uptycs.com">
<meta name="twitter:site" content="@uptycs">

<meta http-equiv="content-language" content="en">






  <meta name="generator" content="HubSpot"></head>
  <body class="  hs-content-id-112774722884 hs-blog-post hs-blog-id-5593128451">
    <div class="body-wrapper   hs-content-id-112774722884 hs-blog-post hs-blog-id-5593128451">
      
        <div data-global-resource-path="Uptycs_Theme_2023/templates/partials/header.html"><header class="header">

  
<div class="container-fluid content-wrapper">
<div class="row-fluid-wrapper">
<div class="row-fluid">
<div class="span12 widget-span widget-type-cell " style="" data-widget-type="cell" data-x="0" data-w="12">

<div class="row-fluid-wrapper row-depth-1 row-number-1 dnd-section header-bottom-row-0-hidden header-bottom-row-0-vertical-alignment">
<div class="row-fluid ">
<div class="span12 widget-span widget-type-cell cell_1682435404408-vertical-alignment dnd-column" style="" data-widget-type="cell" data-x="0" data-w="12">

<div class="row-fluid-wrapper row-depth-1 row-number-2 cell_1682435404408-row-0-vertical-alignment dnd-row">
<div class="row-fluid ">
<div class="span12 widget-span widget-type-custom_widget header-bottom-module-1-vertical-alignment header-bottom-module-1-hidden dnd-module" style="" data-widget-type="custom_widget" data-x="0" data-w="12">
<div id="hs_cos_wrapper_header-bottom-module-1" class="hs_cos_wrapper hs_cos_wrapper_widget hs_cos_wrapper_type_module" style="" data-hs-cos-general-type="widget" data-hs-cos-type="module"><div class="Header">
    
    <div class="Header_innner">
        <div class="wrapper">
            <div class="Header_Box">
                <div class="Logo">
                    
                    
                    
                    <a href="https://www.uptycs.com">
                        <img alt="uptycs logo" src="https://www.uptycs.com/hs-fs/hubfs/Logo.png?width=272&amp;height=80&amp;name=Logo.png" width="272" height="80" srcset="https://www.uptycs.com/hs-fs/hubfs/Logo.png?width=136&amp;height=40&amp;name=Logo.png 136w, https://www.uptycs.com/hs-fs/hubfs/Logo.png?width=272&amp;height=80&amp;name=Logo.png 272w, https://www.uptycs.com/hs-fs/hubfs/Logo.png?width=408&amp;height=120&amp;name=Logo.png 408w, https://www.uptycs.com/hs-fs/hubfs/Logo.png?width=544&amp;height=160&amp;name=Logo.png 544w, https://www.uptycs.com/hs-fs/hubfs/Logo.png?width=680&amp;height=200&amp;name=Logo.png 680w, https://www.uptycs.com/hs-fs/hubfs/Logo.png?width=816&amp;height=240&amp;name=Logo.png 816w" sizes="(max-width: 272px) 100vw, 272px">
                    </a>
                </div>
                <div class="headermenu align_center">
                    <div class="Menu">
                        <ul id="menuList">
                            
                            
                                                    
                                                    
                                                    <img src="https://www.uptycs.com/hs-fs/hubfs/press-release-test_v2.png?width=300&amp;height=169&amp;name=press-release-test_v2.png" alt="press-release-test_v2" loading="lazy" width="300" height="169" style="max-width: 100%; height: auto;" srcset="https://www.uptycs.com/hs-fs/hubfs/press-release-test_v2.png?width=150&amp;height=85&amp;name=press-release-test_v2.png 150w, https://www.uptycs.com/hs-fs/hubfs/press-release-test_v2.png?width=300&amp;height=169&amp;name=press-release-test_v2.png 300w, https://www.uptycs.com/hs-fs/hubfs/press-release-test_v2.png?width=450&amp;height=254&amp;name=press-release-test_v2.png 450w, https://www.uptycs.com/hs-fs/hubfs/press-release-test_v2.png?width=600&amp;height=338&amp;name=press-release-test_v2.png 600w, https://www.uptycs.com/hs-fs/hubfs/press-release-test_v2.png?width=750&amp;height=423&amp;name=press-release-test_v2.png 750w, https://www.uptycs.com/hs-fs/hubfs/press-release-test_v2.png?width=900&amp;height=507&amp;name=press-release-test_v2.png 900w" sizes="(max-width: 300px) 100vw, 300px">
                                                    
                                                    <p>Uptycs Integrates with Amazon Security Lake to Enable the Correlation of its CNAPP and XDR Security Telemetry with a Vast Ecosystem of Security Tools.</p>

                                                </a>
                                                </div>
                                                
                                            </div>
                                            <div class="Company_Mega_Menurightcolumntopbtn pt20 d_flex align_center">
                                                
                                                <div class="BottomLinks">
                                                    <span>
                                                        <svg xmlns="http://www.w3.org/2000/svg" width="12" height="10" viewbox="0 0 12 10" fill="none">
                                                            <path d="M6.2115 9.93025L5.2536 8.98299L8.57964 5.65694H0.224609V4.27331H8.57964L5.2536 0.952581L6.2115 0L11.1766 4.96513L6.2115 9.93025Z" fill="#050314" />
                                                        </svg>
                                                    </span>
                                                    
                                                    
                                                    <a href="https://www.uptycs.com/about/contact/">
                                                        Contact Us
                                                    </a>
                                                </div>
                                                
                                                <div class="BottomLinks">
                                                    <span>
                                                        <svg xmlns="http://www.w3.org/2000/svg" width="12" height="10" viewbox="0 0 12 10" fill="none">
                                                            <path d="M6.2115 9.93025L5.2536 8.98299L8.57964 5.65694H0.224609V4.27331H8.57964L5.2536 0.952581L6.2115 0L11.1766 4.96513L6.2115 9.93025Z" fill="#050314" />
                                                        </svg>
                                                    </span>
                                                    
                                                    
                                                    <a href="https://www.uptycs.com/about/press-news/">
                                                        All Press and News
                                                    </a>
                                                </div>
                                                
                                            </div>
                                        </div>
                                    </div>
                                </div>
                                <!-- End Company Mega Menu -->
                            </li>
                            
                            <!-- End Company Menu -->
                        </ul>
                    </div>
                    <div class="Header_CTA">
                        
                        
                        <div class="DemoButton">
                            
                            
                            <a href="https://www.uptycs.com/request-demo">
                                Request a demo
                                <span>
                                    <svg xmlns="http://www.w3.org/2000/svg" width="13" height="16" viewbox="0 0 13 16" fill="none">
                                        <path d="M7.07771 12.9303L6.11981 11.983L9.44586 8.65694H1.09082V7.27331H9.44586L6.11981 3.95258L7.07771 3L12.0428 7.96513L7.07771 12.9303Z" fill="#050314"></path>
                                    </svg>
                                </span>
                            </a>
                        </div>
                        
                    </div>
                </div>
            </div>
        </div>
    </div>
</div></div>

</div><!--end widget-span -->
</div><!--end row-->
</div><!--end row-wrapper -->

</div><!--end widget-span -->
</div><!--end row-->
</div><!--end row-wrapper -->

</div><!--end widget-span -->
</div>
</div>
</div>

</header></div>
      

      

      <main id="main-content" class="body-container-wrapper">
        
<div class="body-container body-container--blog-post">

  
  <div class="BannerSectionV3 blogPostBanner blog_banner">
    <div class="wrapper">
      <div class="blogBannerRow">
        
        <div class="blogPostBannerInner"> 
          <h1 class="t_shadow h2">RTM Locker Ransomware as a Service (RaaS) Now Suits Up for Linux Architecture</h1> 
          <div class="blogTagList pt30 font16 lh14">
            <span>Tags:</span> 
            
            <a class="tagLinks" href="https://www.uptycs.com/blog/tag/threat-intelligence" rel="tag">Threat Intelligence</a>,
            
            <a class="tagLinks" href="https://www.uptycs.com/blog/tag/endpoint-security" rel="tag">Endpoint Security</a>,
            
            <a class="tagLinks" href="https://www.uptycs.com/blog/tag/threat-research" rel="tag">Threat Research</a>,
            
            <a class="tagLinks" href="https://www.uptycs.com/blog/tag/cybersecurity" rel="tag">Cybersecurity</a>
            
          </div> 
          <div class="blogAutherAndSharingRow pt50 d_flex space_between align_center">
            <div class="blog_author blogAuthorCol">
              <div class="auther_image bg"><img width="45" height="45" src="https://www.uptycs.com/hs-fs/hubfs/Logo-Shield_Padded_400x400.png?width=45&amp;height=45&amp;name=Logo-Shield_Padded_400x400.png" alt="Blog Author" srcset="https://www.uptycs.com/hs-fs/hubfs/Logo-Shield_Padded_400x400.png?width=23&amp;height=23&amp;name=Logo-Shield_Padded_400x400.png 23w, https://www.uptycs.com/hs-fs/hubfs/Logo-Shield_Padded_400x400.png?width=45&amp;height=45&amp;name=Logo-Shield_Padded_400x400.png 45w, https://www.uptycs.com/hs-fs/hubfs/Logo-Shield_Padded_400x400.png?width=68&amp;height=68&amp;name=Logo-Shield_Padded_400x400.png 68w, https://www.uptycs.com/hs-fs/hubfs/Logo-Shield_Padded_400x400.png?width=90&amp;height=90&amp;name=Logo-Shield_Padded_400x400.png 90w, https://www.uptycs.com/hs-fs/hubfs/Logo-Shield_Padded_400x400.png?width=113&amp;height=113&amp;name=Logo-Shield_Padded_400x400.png 113w, https://www.uptycs.com/hs-fs/hubfs/Logo-Shield_Padded_400x400.png?width=135&amp;height=135&amp;name=Logo-Shield_Padded_400x400.png 135w" sizes="(max-width: 45px) 100vw, 45px"></div>
              <div class="auther_detail">
                <h5 class="auther_name">
                  <a class="author_link" target="_blank" href="https://www.uptycs.com/blog/author/uptycs-threat-research">Uptycs Threat Research</a> 
                </h5> 
                <span class="blog_post_date">April 26, 2023</span>
              </div>
            </div>
          </div>
        </div>  
        

        
        <div class="blogBannerSideCol"></div>
        

      </div>

    </div>
  </div>
   

   
  <div class="blogPostBottomArea">
    <div class="wrapper">
      <div class="blogPostAreaRow d_flex space_between align_start"> 
        <article class="blog-post">
          
          <div class="blog-post__body" source-tags="Threat Intelligence,Endpoint Security,Threat Research,Cybersecurity">
            <span id="hs_cos_wrapper_post_body" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_rich_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="rich_text"><p><span style="color: #efeff1;">The <a href="/blog/tag/threat-research" rel="noopener" target="_blank" style="text-decoration: underline; color: #efeff1;">Uptycs threat research team</a> has discovered a new ransomware binary attributed to the RTM group, a known ransomware-as-a-service (RaaS) provider. This is the first time the group has created a Linux binary. Its locker ransomware infects Linux, NAS, and ESXi hosts and appears to be inspired by Babuk ransomware's leaked source code. It uses a combination of ECDH on Curve25519 (asymmetric encryption) and ChaCha20 (symmetric encryption) to encrypt files.</span><br><br><span style="color: #efeff1;">RTM Locker was identified during Uptycs' dark web hunting. Its malware is specifically geared toward ESXi hosts, as it contains two ESXi-related commands. Its initial access vector remains unknown. Because files are encrypted with a combination of asymmetric and symmetric encryption, they cannot be decrypted without the attacker's private key.</span><br><br><span style="color: #efeff1;">Notable similarities between RTM Locker and Babuk ransomware include their random number generation and the use of ECDH on Curve25519 for asymmetric encryption. Babuk differs slightly from RTM Locker by using Sosemanuk for symmetric encryption, while RTM Locker uses ChaCha20.</span><br><br><span style="color: #efeff1;">The good news is that Uptycs XDR provides advanced detection capabilities and YARA rules for detecting RTM Locker malware.</span></p>
<!--more-->
<p>&nbsp;</p>
<h2><span style="color: #efeff1;">FAQ</span></h2>
<p style="padding-left: 40px;"><span style="font-weight: bold; color: #efeff1;">Q. How are RTM Locker and Babuk ransomware related?</span><br><br><span style="color: #efeff1;">It appears RTM Locker leverages leaked source code from Babuk ransomware. Both malware families share their random number generation and Curve25519 implementation.</span><br><br><span style="font-weight: bold; color: #efeff1;">Q. How does this new ransomware infect Linux, NAS, and ESXi hosts?</span><br><br><span style="color: #efeff1;">The initial access vector for RTM Locker is unknown at this time.</span><br><br><span style="font-weight: bold; color: #efeff1;">Q. Can the encrypted files be decrypted without the attacker's private key?</span><br><br><span style="color: #efeff1;">Sorry, no. The combination of asymmetric and symmetric encryption makes decryption impossible without the private key.</span><br><br><span style="font-weight: bold; color: #efeff1;">Q. What are some unique RTM Locker features compared to other ransomware strains?</span><br><br><span style="color: #efeff1;">RTM Locker specifically targets ESXi hosts, contains two ESXi commands, and is the first Linux binary created by the RTM group. It is also inspired by leaked source code from Babuk ransomware.</span><br><br><span style="font-weight: bold; color: #efeff1;">Q. How did the Uptycs threat research team discover this threat actor’s ransomware?</span><br><br><span style="color: #efeff1;">We identified the RTM Locker threat during our ongoing dark web hunting. Such continual research is imperative to better serve our customers.</span><br><br><span style="font-weight: bold; color: #efeff1;">Q. What measures can be taken to detect and mitigate RTM Locker?</span><br><br><span style="color: #efeff1;">Organizations can use advanced detection solutions such as Uptycs XDR. Its built-in YARA rules and other advanced detection capabilities identify and mitigate RTM Locker ransomware. 
To this end, the Uptycs threat research team has shared a <a href="#YARA" rel="noopener" style="color: #efeff1;">YARA rule</a> to detect RTM Locker.</span></p>
<p>&nbsp;</p>
<h2><span style="color: #efeff1;">Threat Attribution</span></h2>
<p><span style="color: #efeff1;">The threat group RTM Locker was discovered by the Uptycs Threat Intelligence team during our dark web hunting. Figure 1 shows the post made by the RTM group about their Locker, which targets Windows, ESXi/Linux, and NAS systems.</span></p>
<p><a href="https://2617658.fs1.hubspotusercontent-na1.net/hubfs/2617658/Fig%201.png" rel="noopener" target="_blank"><i><img src="https://www.uptycs.com/hs-fs/hubfs/Fig%201.png?width=1074&amp;height=1397&amp;name=Fig%201.png" alt="RTM Locker was discovered by the Uptycs threat research team while dark web hunting" width="1074" height="1397" loading="lazy" style="height: auto; max-width: 100%; width: 1074px;" srcset="https://www.uptycs.com/hs-fs/hubfs/Fig%201.png?width=537&amp;height=699&amp;name=Fig%201.png 537w, https://www.uptycs.com/hs-fs/hubfs/Fig%201.png?width=1074&amp;height=1397&amp;name=Fig%201.png 1074w, https://www.uptycs.com/hs-fs/hubfs/Fig%201.png?width=1611&amp;height=2096&amp;name=Fig%201.png 1611w, https://www.uptycs.com/hs-fs/hubfs/Fig%201.png?width=2148&amp;height=2794&amp;name=Fig%201.png 2148w, https://www.uptycs.com/hs-fs/hubfs/Fig%201.png?width=2685&amp;height=3493&amp;name=Fig%201.png 2685w, https://www.uptycs.com/hs-fs/hubfs/Fig%201.png?width=3222&amp;height=4191&amp;name=Fig%201.png 3222w" sizes="(max-width: 1074px) 100vw, 1074px"></i></a></p>
<p style="text-align: center; font-size: 12px;"><i>Fig. 1 - The post made by RTM group about its locker</i></p>
<p style="text-align: center; font-size: 12px;">&nbsp;</p>
<p style="font-size: 16px; text-align: left;"><span style="color: #efeff1;">A previous Windows version of this ransomware was reported by <a href="https://www.trellix.com/en-us/about/newsroom/stories/research/read-the-manual-locker-a-private-raas-provider.html" rel="noopener" target="_blank" style="text-decoration: underline; color: #efeff1;">Trellix</a>, whose report mentions an onion site link for contacting the threat actor. That report appears to have prompted the group to move to Tox (Figure 2). The binary analyzed in this report contains no mention of the onion site; only a Tox ID is mentioned (Figure 18).</span></p>
<p style="font-size: 12px; text-align: center;"><a href="https://2617658.fs1.hubspotusercontent-na1.net/hubfs/2617658/Fig.%202.png" rel="noopener" target="_blank"><img src="https://www.uptycs.com/hs-fs/hubfs/Fig.%202.png?width=512&amp;height=238&amp;name=Fig.%202.png" alt="RTM Locker Ransomware as a Service (RaaS) on Linux: Attacker update about moving from an onion site to Tox" width="512" height="238" loading="lazy" style="height: auto; max-width: 100%; width: 512px; margin-left: auto; margin-right: auto; display: block;" srcset="https://www.uptycs.com/hs-fs/hubfs/Fig.%202.png?width=256&amp;height=119&amp;name=Fig.%202.png 256w, https://www.uptycs.com/hs-fs/hubfs/Fig.%202.png?width=512&amp;height=238&amp;name=Fig.%202.png 512w, https://www.uptycs.com/hs-fs/hubfs/Fig.%202.png?width=768&amp;height=357&amp;name=Fig.%202.png 768w, https://www.uptycs.com/hs-fs/hubfs/Fig.%202.png?width=1024&amp;height=476&amp;name=Fig.%202.png 1024w, https://www.uptycs.com/hs-fs/hubfs/Fig.%202.png?width=1280&amp;height=595&amp;name=Fig.%202.png 1280w, https://www.uptycs.com/hs-fs/hubfs/Fig.%202.png?width=1536&amp;height=714&amp;name=Fig.%202.png 1536w" sizes="(max-width: 512px) 100vw, 512px"></a><br><em>Fig. 2 - Attacker update about moving from an onion site to Tox</em></p>
<p style="font-size: 16px; text-align: left;">&nbsp;</p>
<h2><span style="color: #efeff1;">Technical Analysis</span></h2>
<p style="text-align: center; font-size: 12px;"><a href="https://2617658.fs1.hubspotusercontent-na1.net/hubfs/2617658/Fig%203.png" rel="noopener" target="_blank"><img src="https://www.uptycs.com/hs-fs/hubfs/Fig%203.png?width=512&amp;height=309&amp;name=Fig%203.png" alt="RTM Locker workflow: Mind map of the Linux executable" width="512" height="309" loading="lazy" style="height: auto; max-width: 100%; width: 512px; margin-left: auto; margin-right: auto; display: block;" srcset="https://www.uptycs.com/hs-fs/hubfs/Fig%203.png?width=256&amp;height=155&amp;name=Fig%203.png 256w, https://www.uptycs.com/hs-fs/hubfs/Fig%203.png?width=512&amp;height=309&amp;name=Fig%203.png 512w, https://www.uptycs.com/hs-fs/hubfs/Fig%203.png?width=768&amp;height=464&amp;name=Fig%203.png 768w, https://www.uptycs.com/hs-fs/hubfs/Fig%203.png?width=1024&amp;height=618&amp;name=Fig%203.png 1024w, https://www.uptycs.com/hs-fs/hubfs/Fig%203.png?width=1280&amp;height=773&amp;name=Fig%203.png 1280w, https://www.uptycs.com/hs-fs/hubfs/Fig%203.png?width=1536&amp;height=927&amp;name=Fig%203.png 1536w" sizes="(max-width: 512px) 100vw, 512px"></a><br><em>Fig. 3 - Mind map of the Linux executable</em></p>
<p>&nbsp;</p>
<p><span style="color: #efeff1;">The ransomware binary seems to be geared towards ESXi, because of the two ESXi commands that were noticed at the start of the program. It is statically compiled and stripped, making reverse engineering more difficult and allowing the binary to run on more systems. The initial access vector is unknown.</span></p>
<p style="text-align: center; font-size: 12px;"><a href="https://2617658.fs1.hubspotusercontent-na1.net/hubfs/2617658/Fig%204.png" rel="noopener" target="_blank"><img src="https://www.uptycs.com/hs-fs/hubfs/Fig%204.png?width=512&amp;height=151&amp;name=Fig%204.png" alt="RTM Locker Ransomware as a Service (RaaS) on Linux: Decompiled code for the ransomware’s main procedure" width="512" height="151" loading="lazy" style="height: auto; max-width: 100%; width: 512px; margin-left: auto; margin-right: auto; display: block;" srcset="https://www.uptycs.com/hs-fs/hubfs/Fig%204.png?width=256&amp;height=76&amp;name=Fig%204.png 256w, https://www.uptycs.com/hs-fs/hubfs/Fig%204.png?width=512&amp;height=151&amp;name=Fig%204.png 512w, https://www.uptycs.com/hs-fs/hubfs/Fig%204.png?width=768&amp;height=227&amp;name=Fig%204.png 768w, https://www.uptycs.com/hs-fs/hubfs/Fig%204.png?width=1024&amp;height=302&amp;name=Fig%204.png 1024w, https://www.uptycs.com/hs-fs/hubfs/Fig%204.png?width=1280&amp;height=378&amp;name=Fig%204.png 1280w, https://www.uptycs.com/hs-fs/hubfs/Fig%204.png?width=1536&amp;height=453&amp;name=Fig%204.png 1536w" sizes="(max-width: 512px) 100vw, 512px"></a><br><em>Fig. 4 - Main procedure of the ransomware</em></p>
<p>&nbsp;</p>
<p><span style="font-family: 'Courier New', Courier, monospace; color: #ff0201;">name_threads, run_esxi_commands</span> <span style="color: #efeff1;">and</span> <span style="font-family: 'Courier New', Courier, monospace; color: #ff0201;">pthread_wrapper_main</span> <span style="color: #efeff1;">are the important functions in this binary.</span> <span style="font-family: 'Courier New', Courier, monospace; color: #ff0201;">name_threads</span> <span style="color: #efeff1;">uses</span> <span style="font-family: 'Courier New', Courier, monospace; color: #ff0201;">sysconf</span><span style="color: #efeff1;">(3) with</span><span style="font-family: 'Courier New', Courier, monospace; color: #ff0201;"> _SC_NPROCESSORS_ONLN</span> <span style="color: #efeff1;">as argument to find out the number of threads to use in the program, and calls</span> <span style="font-family: 'Courier New', Courier, monospace; color: #ff0201;">name_thread_routine</span> <span style="color: #efeff1;">in the</span> <span style="font-family: 'Courier New', Courier, monospace; color: #ff0201;">pthread_wrapper</span> <span style="color: #efeff1;">routine to name each thread as shown in Figure 5.</span></p>
<p style="text-align: center;"><a href="https://2617658.fs1.hubspotusercontent-na1.net/hubfs/2617658/Fig%205.png" rel="noopener" target="_blank"><img src="https://www.uptycs.com/hs-fs/hubfs/Fig%205.png?width=512&amp;height=435&amp;name=Fig%205.png" alt="RTM Locker Ransomware as a Service (RaaS) on Linux: pthread_wrapper calls pthread_create with name_thread_routine as an argument" width="512" height="435" loading="lazy" style="height: auto; max-width: 100%; width: 512px; margin-left: auto; margin-right: auto; display: block;" srcset="https://www.uptycs.com/hs-fs/hubfs/Fig%205.png?width=256&amp;height=218&amp;name=Fig%205.png 256w, https://www.uptycs.com/hs-fs/hubfs/Fig%205.png?width=512&amp;height=435&amp;name=Fig%205.png 512w, https://www.uptycs.com/hs-fs/hubfs/Fig%205.png?width=768&amp;height=653&amp;name=Fig%205.png 768w, https://www.uptycs.com/hs-fs/hubfs/Fig%205.png?width=1024&amp;height=870&amp;name=Fig%205.png 1024w, https://www.uptycs.com/hs-fs/hubfs/Fig%205.png?width=1280&amp;height=1088&amp;name=Fig%205.png 1280w, https://www.uptycs.com/hs-fs/hubfs/Fig%205.png?width=1536&amp;height=1305&amp;name=Fig%205.png 1536w" sizes="(max-width: 512px) 100vw, 512px"></a><br><span style="font-size: 12px;"><em>Fig. 5 - <span style="color: #ff0201; font-family: 'Courier New', Courier, monospace;">pthread_wrapper</span> calls <span style="color: #ff0201;"><span style="font-family: 'Courier New', Courier, monospace;">pthread_create</span> </span>with <span style="color: #ff0201; font-family: 'Courier New', Courier, monospace;">name_thread_routine</span> as an&nbsp;</em></span><span style="background-color: transparent; font-size: 12px;"><i>argument</i></span></p>
<p>&nbsp;</p>
<p><span style="font-family: 'Courier New', Courier, monospace; color: #ff0201;">name_thread_routine</span> <span style="color: #efeff1;">names each thread to use later in the encryption process. The threads are named “</span><span style="font-family: 'Courier New', Courier, monospace; color: #ff0201;">Thread-pool-%d</span><span style="color: #efeff1;">”, with the decimal number representing the index of the thread. Shown in Figure 6, this is done using prctl(2) with</span> <span style="font-family: 'Courier New', Courier, monospace; color: #ff0201;">PR_SET_NAME</span> <span style="color: #efeff1;">as its argument.&nbsp;</span></p>
<p style="text-align: center;"><a href="https://2617658.fs1.hubspotusercontent-na1.net/hubfs/2617658/FIg%206.png" rel="noopener" target="_blank"><img src="https://www.uptycs.com/hs-fs/hubfs/FIg%206.png?width=512&amp;height=436&amp;name=FIg%206.png" alt="RTM Locker Ransomware as a Service (RaaS) on Linux: Threads being named inside name_thread_routine" width="512" height="436" loading="lazy" style="height: auto; max-width: 100%; width: 512px; margin-left: auto; margin-right: auto; display: block;" srcset="https://www.uptycs.com/hs-fs/hubfs/FIg%206.png?width=256&amp;height=218&amp;name=FIg%206.png 256w, https://www.uptycs.com/hs-fs/hubfs/FIg%206.png?width=512&amp;height=436&amp;name=FIg%206.png 512w, https://www.uptycs.com/hs-fs/hubfs/FIg%206.png?width=768&amp;height=654&amp;name=FIg%206.png 768w, https://www.uptycs.com/hs-fs/hubfs/FIg%206.png?width=1024&amp;height=872&amp;name=FIg%206.png 1024w, https://www.uptycs.com/hs-fs/hubfs/FIg%206.png?width=1280&amp;height=1090&amp;name=FIg%206.png 1280w, https://www.uptycs.com/hs-fs/hubfs/FIg%206.png?width=1536&amp;height=1308&amp;name=FIg%206.png 1536w" sizes="(max-width: 512px) 100vw, 512px"></a><br><span style="font-size: 12px;"><em>Fig. 6 - Threads being named inside&nbsp;<span style="font-family: 'Courier New', Courier, monospace; color: #ff0201;">name_thread_routine</span></em></span></p>
<p style="font-size: 16px; text-align: left;">&nbsp;</p>
<p style="font-size: 16px; text-align: left;"><span style="color: #efeff1;">After naming each thread, the</span> <span style="font-family: 'Courier New', Courier, monospace; color: #ff0201;">run_esxi_commands</span> <span style="color: #efeff1;">routine is called. Notably, this is not called on the NAS variant of the binary, since a NAS does not run ESXi.</span></p>
<p style="font-size: 16px; text-align: center;"><a href="https://2617658.fs1.hubspotusercontent-na1.net/hubfs/2617658/Fig%207.png" rel="noopener" target="_blank"><img src="https://www.uptycs.com/hs-fs/hubfs/Fig%207.png?width=512&amp;height=435&amp;name=Fig%207.png" alt="RTM Locker Ransomware as a Service (RaaS) on Linux: The program shown here runs 2 ESXi commands" width="512" height="435" loading="lazy" style="height: auto; max-width: 100%; width: 512px; margin-left: auto; margin-right: auto; display: block;" srcset="https://www.uptycs.com/hs-fs/hubfs/Fig%207.png?width=256&amp;height=218&amp;name=Fig%207.png 256w, https://www.uptycs.com/hs-fs/hubfs/Fig%207.png?width=512&amp;height=435&amp;name=Fig%207.png 512w, https://www.uptycs.com/hs-fs/hubfs/Fig%207.png?width=768&amp;height=653&amp;name=Fig%207.png 768w, https://www.uptycs.com/hs-fs/hubfs/Fig%207.png?width=1024&amp;height=870&amp;name=Fig%207.png 1024w, https://www.uptycs.com/hs-fs/hubfs/Fig%207.png?width=1280&amp;height=1088&amp;name=Fig%207.png 1280w, https://www.uptycs.com/hs-fs/hubfs/Fig%207.png?width=1536&amp;height=1305&amp;name=Fig%207.png 1536w" sizes="(max-width: 512px) 100vw, 512px"></a><br><span style="font-size: 12px;"><em>Fig. 7 - Two ESXi commands are run using this program</em></span></p>
<p style="font-size: 12px; text-align: center;">&nbsp;</p>
<p style="font-size: 16px; text-align: left;"><span style="color: #efeff1;">The two ESXi commands are:</span></p>
<ol>
<li style="font-size: 16px; text-align: left;"><span style="color: #efeff1;">“<span style="font-family: 'Courier New', Courier, monospace;">esxcli vm process list &gt;&gt; vmlist.tmp.txt</span>”</span><br><span style="color: #efeff1;">This command lists all the ESXi VMs currently running on the system.</span></li>
<li style="font-size: 16px; text-align: left;"><span style="color: #efeff1;">“<span style="font-family: 'Courier New', Courier, monospace;">esxcli vm process kill -t=force -w</span>”</span><br><span style="color: #efeff1;">This command kills all the ESXi VMs that were found by the previous command.</span></li>
</ol>
<p><span style="color: #efeff1;">Interestingly, the file read by the program, </span><span style="font-family: 'Courier New', Courier, monospace; color: #ff0201;">vmlisttmp.txt</span><span style="color: #efeff1;">, isn’t the file that it writes to</span> <span style="color: #efeff1;">(</span><span style="font-family: 'Courier New', Courier, monospace; color: #ff0201;">vmlist.tmp.txt</span><span style="color: #efeff1;">). The differing filenames are a mistake made by the ransomware author, which suggests this ransomware might still be under development.</span><br><br><span style="font-size: 16px;"><span style="color: #efeff1;">After the binary successfully kills all the running ESXi VMs, it begins the encryption routine by calling</span> <span style="font-family: 'Courier New', Courier, monospace; color: #ff0201;">pthread_wrapper_main</span>.&nbsp;</span><br><br><span style="font-size: 16px;"><span style="font-family: 'Courier New', Courier, monospace; color: #ff0201;">pthread_wrapper_main</span> <span style="color: #efeff1;">seems to be a custom function that calls multiple</span> <span style="font-family: 'Courier New', Courier, monospace; color: #ff0201;">pthread</span> <span style="color: #efeff1;">commands to run the encryption process more efficiently. Figure 8 shows a snippet of</span> <span style="font-family: 'Courier New', Courier, monospace; color: #ff0201;">FUN_00407580</span>, a function that is used to read the entire system using <span style="font-family: 'Courier New', Courier, monospace; color: #ff0201;">opendir(3)</span><span style="color: #efeff1;">, after which it performs</span> <span style="font-family: 'Courier New', Courier, monospace; color: #ff0201;">lstat(2)</span><span style="color: #efeff1;"> on the file descriptor and progresses through the function based on the results of the system call.</span></span></p>
<p style="font-size: 12px; text-align: center;"><a href="https://2617658.fs1.hubspotusercontent-na1.net/hubfs/2617658/Fig%208.png" rel="noopener" target="_blank"><img src="https://www.uptycs.com/hs-fs/hubfs/Fig%208.png?width=512&amp;height=436&amp;name=Fig%208.png" alt="RTM Locker Ransomware as a Service (RaaS) on Linux: A FUN_00407580 excerpt" width="512" height="436" loading="lazy" style="height: auto; max-width: 100%; width: 512px; margin-left: auto; margin-right: auto; display: block;" srcset="https://www.uptycs.com/hs-fs/hubfs/Fig%208.png?width=256&amp;height=218&amp;name=Fig%208.png 256w, https://www.uptycs.com/hs-fs/hubfs/Fig%208.png?width=512&amp;height=436&amp;name=Fig%208.png 512w, https://www.uptycs.com/hs-fs/hubfs/Fig%208.png?width=768&amp;height=654&amp;name=Fig%208.png 768w, https://www.uptycs.com/hs-fs/hubfs/Fig%208.png?width=1024&amp;height=872&amp;name=Fig%208.png 1024w, https://www.uptycs.com/hs-fs/hubfs/Fig%208.png?width=1280&amp;height=1090&amp;name=Fig%208.png 1280w, https://www.uptycs.com/hs-fs/hubfs/Fig%208.png?width=1536&amp;height=1308&amp;name=Fig%208.png 1536w" sizes="(max-width: 512px) 100vw, 512px"></a><em><br>Fig. 8 - A FUN_00407580 excerpt</em></p>
<p>&nbsp;</p>
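<p><span style="color: #efeff1;">Two parts of this function are intriguing: 1) the call to the actual encryption routine (i.e.,</span> <span style="font-family: 'Courier New', Courier, monospace; color: #ff0201;">encrypt_file</span> <span style="color: #efeff1;">referenced in the main function), and 2) how it finds which file to encrypt.</span><br><br><span style="color: #efeff1;">The</span> <span style="font-family: 'Courier New', Courier, monospace; color: #ff0201;">lstat</span><span style="color: #efeff1;">(2) system call returns 4 for a directory or 8 for a file. (4 and 8 are also the values of the</span> <span style="font-family: 'Courier New', Courier, monospace; color: #ff0201;">DT_DIR</span> <span style="color: #efeff1;">and</span> <span style="font-family: 'Courier New', Courier, monospace; color: #ff0201;">DT_REG</span> <span style="color: #efeff1;">constants used in a directory entry's</span> <span style="font-family: 'Courier New', Courier, monospace; color: #ff0201;">d_type</span> <span style="color: #efeff1;">field, so the check in the decompilation may be reading that field.) Figure 9 shows a function excerpt where a checksum is performed, after which the</span> <span style="font-family: 'Courier New', Courier, monospace; color: #ff0201;">encrypt_file</span> <span style="color: #efeff1;">function is called. This checksum seems to only check file extensions and, like the source code that inspired it, currently works for the following extensions:</span></p>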
<p>&nbsp;</p>
<div data-hs-responsive-table="true" style="overflow-x: auto; max-width: 100%; width: 100%; margin-left: auto; margin-right: auto;">
<table style="width: 100%; border-collapse: collapse; table-layout: fixed; border: 1px solid #99acc2;">
<tbody>
<tr>
<td style="width: 19.9723%; padding: 4px; text-align: center;"><span style="font-family: 'Courier New', Courier, monospace; color: #efeff1;">.log</span></td>
<td style="width: 19.9723%; padding: 4px; text-align: center;"><span style="font-family: 'Courier New', Courier, monospace; color: #efeff1;">.vmdk</span></td>
<td style="width: 19.9723%; padding: 4px; text-align: center;"><span style="color: #efeff1;">.<span style="font-family: 'Courier New', Courier, monospace;">vmem</span></span></td>
<td style="width: 19.9723%; padding: 4px; text-align: center;"><span style="font-family: 'Courier New', Courier, monospace; color: #ff0201;">.vswp</span></td>
<td style="width: 19.9765%; padding: 4px; text-align: center;"><span style="font-family: 'Courier New', Courier, monospace; color: #efeff1;">.vmsn</span></td>
</tr>
</tbody>
</table>
</div>
<p style="font-size: 12px; text-align: center;"><a href="https://2617658.fs1.hubspotusercontent-na1.net/hubfs/2617658/Fig%209.png" rel="noopener" target="_blank"><img src="https://www.uptycs.com/hs-fs/hubfs/Fig%209.png?width=512&amp;height=278&amp;name=Fig%209.png" alt="RTM Locker Ransomware as a Service (RaaS) on Linux: Another Excerpt from FUN_00407580" width="512" height="278" loading="lazy" style="height: auto; max-width: 100%; width: 512px; margin-left: auto; margin-right: auto; display: block;" srcset="https://www.uptycs.com/hs-fs/hubfs/Fig%209.png?width=256&amp;height=139&amp;name=Fig%209.png 256w, https://www.uptycs.com/hs-fs/hubfs/Fig%209.png?width=512&amp;height=278&amp;name=Fig%209.png 512w, https://www.uptycs.com/hs-fs/hubfs/Fig%209.png?width=768&amp;height=417&amp;name=Fig%209.png 768w, https://www.uptycs.com/hs-fs/hubfs/Fig%209.png?width=1024&amp;height=556&amp;name=Fig%209.png 1024w, https://www.uptycs.com/hs-fs/hubfs/Fig%209.png?width=1280&amp;height=695&amp;name=Fig%209.png 1280w, https://www.uptycs.com/hs-fs/hubfs/Fig%209.png?width=1536&amp;height=834&amp;name=Fig%209.png 1536w" sizes="(max-width: 512px) 100vw, 512px"></a><br><em>Fig. 9 - Excerpt from <span style="font-family: 'Courier New', Courier, monospace; color: #ff0201;">FUN_00407580</span></em></p>
<p>&nbsp;</p>
<p><span style="color: #efeff1;">The encryption function also uses</span> <span style="font-family: 'Courier New', Courier, monospace; color: #ff0201;">pthreads</span> <span style="color: #efeff1;">to speed up execution. It obtains locks on particular threads to prevent race conditions, then runs another function that encrypts a single file.</span><br><br><span style="color: #efeff1;">Figure 10 shows the function called by</span> <span style="font-family: 'Courier New', Courier, monospace; color: #ff0201;">encrypt_file</span><span style="color: #efeff1;">. It has two constants, `</span><span style="font-family: 'Courier New', Courier, monospace; color: #ff0201;">expand 16-byte k</span><span style="color: #efeff1;">` and `</span><span style="font-family: 'Courier New', Courier, monospace; color: #ff0201;">expand 32-byte k</span><span style="color: #efeff1;">` related to the Salsa20/ChaCha family of ciphers. This leads us to believe the file is encrypted using the same cipher family. Figure 11 shows the constants as found in the function.</span></p>
<p style="font-size: 12px; text-align: center;"><a href="https://2617658.fs1.hubspotusercontent-na1.net/hubfs/2617658/Fig%2010.png" rel="noopener" target="_blank"><img src="https://www.uptycs.com/hs-fs/hubfs/Fig%2010.png?width=474&amp;height=512&amp;name=Fig%2010.png" alt="RTM Locker Ransomware as a Service (RaaS) on Linux: The FUN_00406680 function that encrypts a single file" width="474" height="512" loading="lazy" style="height: auto; max-width: 100%; width: 474px; margin-left: auto; margin-right: auto; display: block;" srcset="https://www.uptycs.com/hs-fs/hubfs/Fig%2010.png?width=237&amp;height=256&amp;name=Fig%2010.png 237w, https://www.uptycs.com/hs-fs/hubfs/Fig%2010.png?width=474&amp;height=512&amp;name=Fig%2010.png 474w, https://www.uptycs.com/hs-fs/hubfs/Fig%2010.png?width=711&amp;height=768&amp;name=Fig%2010.png 711w, https://www.uptycs.com/hs-fs/hubfs/Fig%2010.png?width=948&amp;height=1024&amp;name=Fig%2010.png 948w, https://www.uptycs.com/hs-fs/hubfs/Fig%2010.png?width=1185&amp;height=1280&amp;name=Fig%2010.png 1185w, https://www.uptycs.com/hs-fs/hubfs/Fig%2010.png?width=1422&amp;height=1536&amp;name=Fig%2010.png 1422w" sizes="(max-width: 474px) 100vw, 474px"></a><br><em>Fig. 10 - The FUN_00406680 function that encrypts a single file</em></p>
<p>&nbsp;</p>
<p><span style="color: #efeff1;">The function in Figure 10 essentially encrypts a chunk of bytes read with</span> <span style="font-family: 'Courier New', Courier, monospace; color: #ff0201;">fread</span><span style="color: #efeff1;">(3) and writes the result back, after which it probably seeks to the next chunk, reads it, and encrypts it in turn.</span></p>
<p style="font-size: 12px; text-align: center;"><a href="https://2617658.fs1.hubspotusercontent-na1.net/hubfs/2617658/Fig%2011.png" rel="noopener" target="_blank"><img src="https://www.uptycs.com/hs-fs/hubfs/Fig%2011.png?width=512&amp;height=435&amp;name=Fig%2011.png" alt="RTM Locker Ransomware as a Service (RaaS) on Linux: Constants related to the Salsa20/ChaCha cipher family" width="512" height="435" loading="lazy" style="height: auto; max-width: 100%; width: 512px; margin-left: auto; margin-right: auto; display: block;" srcset="https://www.uptycs.com/hs-fs/hubfs/Fig%2011.png?width=256&amp;height=218&amp;name=Fig%2011.png 256w, https://www.uptycs.com/hs-fs/hubfs/Fig%2011.png?width=512&amp;height=435&amp;name=Fig%2011.png 512w, https://www.uptycs.com/hs-fs/hubfs/Fig%2011.png?width=768&amp;height=653&amp;name=Fig%2011.png 768w, https://www.uptycs.com/hs-fs/hubfs/Fig%2011.png?width=1024&amp;height=870&amp;name=Fig%2011.png 1024w, https://www.uptycs.com/hs-fs/hubfs/Fig%2011.png?width=1280&amp;height=1088&amp;name=Fig%2011.png 1280w, https://www.uptycs.com/hs-fs/hubfs/Fig%2011.png?width=1536&amp;height=1305&amp;name=Fig%2011.png 1536w" sizes="(max-width: 512px) 100vw, 512px"></a><br><em>Fig. 11 - Constants related to the Salsa20/ChaCha cipher family</em></p>
<p>&nbsp;</p>
<p><span style="color: #efeff1;">After searching through the entire file, the filename has an .RTM extension appended to it.</span></p>
<p>&nbsp;</p>
<h3><span style="color: #efeff1;">File encryption on Windows and Linux versions</span></h3>
<p><span style="color: #efeff1;">The encryption algorithm has two steps:</span></p>
<ol style="font-size: 16px;">
<li><span style="color: #efeff1;">Asymmetric encryption is initially used. The bad actor embeds a public key in the file, with its corresponding private key remaining with the attacker. It generates a 32-byte shared secret between the attacker's public key and the file ephemeral keys using the Diffie-Hellman key exchange protocol.</span></li>
<li><span style="color: #efeff1;">It then uses ChaCha20 symmetric encryption. The shared secret is hashed to obtain a 32-byte key to be used with the symmetric encryption algorithm. After encryption, each public key is written at the end of its corresponding file (on Linux) or appended as an extension (on Windows).</span></li>
</ol>
<p><span style="color: #efeff1;">Both ECDH on Curve25519 and ChaCha are statically implemented without using any libraries or crypt function.&nbsp;</span></p>
<p>&nbsp;</p>
<h2><span style="color: #efeff1;">The Encryption Process</span></h2>
<p><span style="color: #efeff1;">1. An ephemeral key is generated by using:</span></p>
<ul style="font-size: 16px;">
<li><span style="color: #efeff1;">Windows – SystemFunction36 resolves to <span style="font-family: 'Courier New', Courier, monospace;">bcryptprimitives.ProcessPrng</span>, which generates a specified number of random bytes from the user-mode per-processor random number generator.</span></li>
<li><span style="color: #efeff1;">Linux – By reading /dev/urandom to generate a random sequence.</span></li>
</ul>
<p><span style="color: #efeff1;">These random bytes are used as a private key during the Elliptic-Curve Diffie-Hellman (ECDH) algorithm implemented on Curve25519.</span></p>
<p style="font-size: 12px; text-align: center;"><a href="https://2617658.fs1.hubspotusercontent-na1.net/hubfs/2617658/Figure12.png" rel="noopener" target="_blank"><img src="https://www.uptycs.com/hs-fs/hubfs/Figure12.png?width=779&amp;height=321&amp;name=Figure12.png" alt="RTM Locker Ransomware as a Service (RaaS) on Linux: Random number generator as ephemeral key" width="779" height="321" loading="lazy" style="height: auto; max-width: 100%; width: 779px; margin-left: auto; margin-right: auto; display: block;" srcset="https://www.uptycs.com/hs-fs/hubfs/Figure12.png?width=390&amp;height=161&amp;name=Figure12.png 390w, https://www.uptycs.com/hs-fs/hubfs/Figure12.png?width=779&amp;height=321&amp;name=Figure12.png 779w, https://www.uptycs.com/hs-fs/hubfs/Figure12.png?width=1169&amp;height=482&amp;name=Figure12.png 1169w, https://www.uptycs.com/hs-fs/hubfs/Figure12.png?width=1558&amp;height=642&amp;name=Figure12.png 1558w, https://www.uptycs.com/hs-fs/hubfs/Figure12.png?width=1948&amp;height=803&amp;name=Figure12.png 1948w, https://www.uptycs.com/hs-fs/hubfs/Figure12.png?width=2337&amp;height=963&amp;name=Figure12.png 2337w" sizes="(max-width: 779px) 100vw, 779px"></a><em>Fig. 12 - Random number generator as ephemeral key</em></p>
<p>&nbsp;</p>
<p><span style="color: #efeff1;">2. The private key is now used to generate the public key on Curve25519.&nbsp;</span></p>
<ul>
<li><span style="font-size: 16px; color: #efeff1;">Windows – The public key is appended as an extension to the encrypted file.</span></li>
<li><span style="font-size: 16px; color: #efeff1;">Linux – The public key is appended to the end of the encrypted file. This public key is used for decryption in the event of a victim paying ransom.</span></li>
</ul>
<p style="font-size: 12px; text-align: center;"><a href="https://2617658.fs1.hubspotusercontent-na1.net/hubfs/2617658/Figure13.png" rel="noopener" target="_blank"><img src="https://www.uptycs.com/hs-fs/hubfs/Figure13.png?width=781&amp;height=293&amp;name=Figure13.png" alt="Screenshot showing the Encrypted files" width="781" height="293" loading="lazy" style="height: auto; max-width: 100%; width: 781px; margin-left: auto; margin-right: auto; display: block;" srcset="https://www.uptycs.com/hs-fs/hubfs/Figure13.png?width=391&amp;height=147&amp;name=Figure13.png 391w, https://www.uptycs.com/hs-fs/hubfs/Figure13.png?width=781&amp;height=293&amp;name=Figure13.png 781w, https://www.uptycs.com/hs-fs/hubfs/Figure13.png?width=1172&amp;height=440&amp;name=Figure13.png 1172w, https://www.uptycs.com/hs-fs/hubfs/Figure13.png?width=1562&amp;height=586&amp;name=Figure13.png 1562w, https://www.uptycs.com/hs-fs/hubfs/Figure13.png?width=1953&amp;height=733&amp;name=Figure13.png 1953w, https://www.uptycs.com/hs-fs/hubfs/Figure13.png?width=2343&amp;height=879&amp;name=Figure13.png 2343w" sizes="(max-width: 781px) 100vw, 781px"></a><em>Fig. 13 - Encrypted files</em></p>
<p>&nbsp;</p>
<p><span style="color: #efeff1;">3. A shared key is now generated, using the private key from step 1 and the attacker's public key hardcoded in the file on Curve25519. This shared secret is now used in symmetric ChaCha20 encryption.</span></p>
<p style="font-size: 12px; text-align: center;"><a href="https://2617658.fs1.hubspotusercontent-na1.net/hubfs/2617658/Figure14.png" rel="noopener" target="_blank"><img src="https://www.uptycs.com/hs-fs/hubfs/Figure14.png?width=784&amp;height=294&amp;name=Figure14.png" alt="RTM Locker Ransomware as a Service (RaaS) on Linux: Code snippet showing shared key generation Curve25519" width="784" height="294" loading="lazy" style="height: auto; max-width: 100%; width: 784px; margin-left: auto; margin-right: auto; display: block;" srcset="https://www.uptycs.com/hs-fs/hubfs/Figure14.png?width=392&amp;height=147&amp;name=Figure14.png 392w, https://www.uptycs.com/hs-fs/hubfs/Figure14.png?width=784&amp;height=294&amp;name=Figure14.png 784w, https://www.uptycs.com/hs-fs/hubfs/Figure14.png?width=1176&amp;height=441&amp;name=Figure14.png 1176w, https://www.uptycs.com/hs-fs/hubfs/Figure14.png?width=1568&amp;height=588&amp;name=Figure14.png 1568w, https://www.uptycs.com/hs-fs/hubfs/Figure14.png?width=1960&amp;height=735&amp;name=Figure14.png 1960w, https://www.uptycs.com/hs-fs/hubfs/Figure14.png?width=2352&amp;height=882&amp;name=Figure14.png 2352w" sizes="(max-width: 784px) 100vw, 784px"></a><br><em>Fig. 14 - Code snippet showing shared key generation Curve25519</em></p>
<p>&nbsp;</p>
<p><span style="font-size: 16px; color: #efeff1;">ChaCha20 is a symmetric encryption where:</span></p>
<ul>
<li><span style="font-size: 16px; color: #efeff1;">Key – 32-byte shared key from step 3</span></li>
<li><span style="font-size: 16px; color: #efeff1;">Nonce – 8 bytes 0000000000000000</span></li>
<li><span style="font-size: 16px; color: #efeff1;">Counter – 0<br></span></li>
<li><span style="font-size: 16px; color: #efeff1;">ChaCha20 is used for symmetric encryption in both Windows and Linux<br></span></li>
<li><span style="font-size: 16px; color: #efeff1;">For Windows, only the first 8000 hex bytes are encrypted, and the remaining bytes remain intact<br></span></li>
<li><span style="font-size: 16px;"><span style="color: #efeff1;">For Linux, the entire file is encrypted</span><br></span></li>
</ul>
<p style="font-size: 12px; text-align: center;"><a href="https://2617658.fs1.hubspotusercontent-na1.net/hubfs/2617658/Fig%2015.png" rel="noopener" target="_blank"><img src="https://www.uptycs.com/hs-fs/hubfs/Fig%2015.png?width=515&amp;height=54&amp;name=Fig%2015.png" alt="RTM Locker Ransomware as a Service (RaaS) on Linux: ChaCha key structure along with constants, key, counter, and nonce" width="515" height="54" loading="lazy" style="height: auto; max-width: 100%; width: 515px; margin-left: auto; margin-right: auto; display: block;" srcset="https://www.uptycs.com/hs-fs/hubfs/Fig%2015.png?width=258&amp;height=27&amp;name=Fig%2015.png 258w, https://www.uptycs.com/hs-fs/hubfs/Fig%2015.png?width=515&amp;height=54&amp;name=Fig%2015.png 515w, https://www.uptycs.com/hs-fs/hubfs/Fig%2015.png?width=773&amp;height=81&amp;name=Fig%2015.png 773w, https://www.uptycs.com/hs-fs/hubfs/Fig%2015.png?width=1030&amp;height=108&amp;name=Fig%2015.png 1030w, https://www.uptycs.com/hs-fs/hubfs/Fig%2015.png?width=1288&amp;height=135&amp;name=Fig%2015.png 1288w, https://www.uptycs.com/hs-fs/hubfs/Fig%2015.png?width=1545&amp;height=162&amp;name=Fig%2015.png 1545w" sizes="(max-width: 515px) 100vw, 515px"></a><br><em>Fig. 15 - ChaCha key structure along with constants, key, counter, and nonce</em></p>
<p>&nbsp;</p>
<h3><span style="color: #efeff1;">File decryption</span></h3>
<p><span style="color: #efeff1;">To decrypt a file, the public key stored in the file extension (Windows) or at the end of the file (Linux) is read and combined with the attacker's private key to obtain the shared secret, which allows the file to be decrypted. The use of both asymmetric and symmetric encryption makes it impossible to decrypt the encrypted files without the attacker's private key.&nbsp;</span></p>
<p>&nbsp;</p>
<h3><span style="color: #efeff1;">Similarities with Babuk ransomware</span></h3>
<p><span style="color: #efeff1;">As mentioned, RTM Locker was likely inspired by the leaked source code of Babuk ransomware.&nbsp;</span></p>
<ul style="font-size: 16px;">
<li><span style="color: #efeff1;">Linux random number generation is done by reading <span style="font-family: 'Courier New', Courier, monospace;">/dev/urandom</span>, the same as for <a href="https://github.com/Hildaboo/BabukRansomwareSourceCode/blob/main/esxi/enc/curve25519-donna.cpp" rel="noopener" target="_blank" style="text-decoration: underline; color: #efeff1;">Babuk ransomware</a><span style="text-decoration: underline;">&nbsp;</span></span></li>
<li><span style="color: #efeff1;">Windows and Linux Curve25519 implementation is based on <a href="https://github.com/Hildaboo/BabukRansomwareSourceCode/blob/main/esxi/enc/curve25519-donna.cpp" rel="noopener" target="_blank" style="text-decoration: underline; color: #efeff1;">Babuk ransomware&nbsp;</a></span></li>
<li><span style="color: #efeff1;">Both Linux versions encrypt files using the <span style="font-family: 'Courier New', Courier, monospace;">.log, </span>&nbsp;.<span style="font-family: 'Courier New', Courier, monospace;">vmdk, </span><span style="font-family: 'Courier New', Courier, monospace;">.vmem, <strong>.vswp, </strong></span>and&nbsp; .<span style="font-family: 'Courier New', Courier, monospace;">vmsn</span> file extensions&nbsp;</span></li>
<li><span style="color: #efeff1;">Both use ECDH in Curve25519 for asymmetric and ChaCha for symmetric encryption.</span></li>
</ul>
<p style="font-size: 12px; text-align: center;"><a href="https://2617658.fs1.hubspotusercontent-na1.net/hubfs/2617658/Figure16.png" rel="noopener" target="_blank"><img src="https://www.uptycs.com/hs-fs/hubfs/Figure16.png?width=755&amp;height=283&amp;name=Figure16.png" alt="RTM Locker Ransomware as a Service (RaaS) on Linux: Code snippets showing similarities between RTM and Babuk ransomware" width="755" height="283" loading="lazy" style="height: auto; max-width: 100%; width: 755px; margin-left: auto; margin-right: auto; display: block;" srcset="https://www.uptycs.com/hs-fs/hubfs/Figure16.png?width=378&amp;height=142&amp;name=Figure16.png 378w, https://www.uptycs.com/hs-fs/hubfs/Figure16.png?width=755&amp;height=283&amp;name=Figure16.png 755w, https://www.uptycs.com/hs-fs/hubfs/Figure16.png?width=1133&amp;height=425&amp;name=Figure16.png 1133w, https://www.uptycs.com/hs-fs/hubfs/Figure16.png?width=1510&amp;height=566&amp;name=Figure16.png 1510w, https://www.uptycs.com/hs-fs/hubfs/Figure16.png?width=1888&amp;height=708&amp;name=Figure16.png 1888w, https://www.uptycs.com/hs-fs/hubfs/Figure16.png?width=2265&amp;height=849&amp;name=Figure16.png 2265w" sizes="(max-width: 755px) 100vw, 755px"></a><br><em>Fig. 16 - Similarities between RTM and Babuk ransomware</em></p>
<p>&nbsp;</p>
<p><span style="color: #efeff1;">After the entire directory is read,</span> <span style="font-family: 'Courier New', Courier, monospace; color: #ff0201;">FUN_00407580</span> <span style="color: #efeff1;">leaves a ransom note in the current directory that has a</span> <span style="font-family: 'Courier New', Courier, monospace; color: #ff0201;">!!! Warning!!!</span> <span style="color: #efeff1;">filename (Figure 18).&nbsp;</span></p>
<p style="font-size: 12px; text-align: center;"><a href="https://2617658.fs1.hubspotusercontent-na1.net/hubfs/2617658/Fig%2017.png" rel="noopener" target="_blank"><img src="https://www.uptycs.com/hs-fs/hubfs/Fig%2017.png?width=511&amp;height=184&amp;name=Fig%2017.png" alt="RTM Locker Ransomware as a Service (RaaS) on Linux: Excerpt from FUN_00407580 that writes the ransom note" width="511" height="184" loading="lazy" style="height: auto; max-width: 100%; width: 511px; margin-left: auto; margin-right: auto; display: block;" srcset="https://www.uptycs.com/hs-fs/hubfs/Fig%2017.png?width=256&amp;height=92&amp;name=Fig%2017.png 256w, https://www.uptycs.com/hs-fs/hubfs/Fig%2017.png?width=511&amp;height=184&amp;name=Fig%2017.png 511w, https://www.uptycs.com/hs-fs/hubfs/Fig%2017.png?width=767&amp;height=276&amp;name=Fig%2017.png 767w, https://www.uptycs.com/hs-fs/hubfs/Fig%2017.png?width=1022&amp;height=368&amp;name=Fig%2017.png 1022w, https://www.uptycs.com/hs-fs/hubfs/Fig%2017.png?width=1278&amp;height=460&amp;name=Fig%2017.png 1278w, https://www.uptycs.com/hs-fs/hubfs/Fig%2017.png?width=1533&amp;height=552&amp;name=Fig%2017.png 1533w" sizes="(max-width: 511px) 100vw, 511px"></a><br><em>Fig. 17 - Excerpt from FUN_00407580 that writes the ransom note</em></p>
<p>&nbsp;</p>
<p><span style="color: #efeff1;">Figure 18 shows the RTM Locker ransom note. The group has left a Tox ID that victims are told to use to contact it about decrypting the files after paying the ransom.</span></p>
<p style="font-size: 12px; text-align: center;"><a href="https://2617658.fs1.hubspotusercontent-na1.net/hubfs/2617658/Fig%2018.png" rel="noopener" target="_blank"><img src="https://www.uptycs.com/hs-fs/hubfs/Fig%2018.png?width=512&amp;height=374&amp;name=Fig%2018.png" alt="RTM Locker Ransomware as a Service (RaaS) on Linux: screenshot from the RaaS Ransom note" width="512" height="374" loading="lazy" style="height: auto; max-width: 100%; width: 512px; margin-left: auto; margin-right: auto; display: block;" srcset="https://www.uptycs.com/hs-fs/hubfs/Fig%2018.png?width=256&amp;height=187&amp;name=Fig%2018.png 256w, https://www.uptycs.com/hs-fs/hubfs/Fig%2018.png?width=512&amp;height=374&amp;name=Fig%2018.png 512w, https://www.uptycs.com/hs-fs/hubfs/Fig%2018.png?width=768&amp;height=561&amp;name=Fig%2018.png 768w, https://www.uptycs.com/hs-fs/hubfs/Fig%2018.png?width=1024&amp;height=748&amp;name=Fig%2018.png 1024w, https://www.uptycs.com/hs-fs/hubfs/Fig%2018.png?width=1280&amp;height=935&amp;name=Fig%2018.png 1280w, https://www.uptycs.com/hs-fs/hubfs/Fig%2018.png?width=1536&amp;height=1122&amp;name=Fig%2018.png 1536w" sizes="(max-width: 512px) 100vw, 512px"></a><br><em>Fig. 18 - Ransom note</em></p>
<p style="font-size: 12px; text-align: center;">&nbsp;</p>
<p style="font-size: 12px; text-align: center;"><a href="https://2617658.fs1.hubspotusercontent-na1.net/hubfs/2617658/Fig%2019.png" rel="noopener" target="_blank"><img src="https://www.uptycs.com/hs-fs/hubfs/Fig%2019.png?width=512&amp;height=312&amp;name=Fig%2019.png" alt="RTM Locker Ransomware as a Service (RaaS) on Linux: Files encrypted by the RTM Locker ransomware" width="512" height="312" loading="lazy" style="height: auto; max-width: 100%; width: 512px; margin-left: auto; margin-right: auto; display: block;" srcset="https://www.uptycs.com/hs-fs/hubfs/Fig%2019.png?width=256&amp;height=156&amp;name=Fig%2019.png 256w, https://www.uptycs.com/hs-fs/hubfs/Fig%2019.png?width=512&amp;height=312&amp;name=Fig%2019.png 512w, https://www.uptycs.com/hs-fs/hubfs/Fig%2019.png?width=768&amp;height=468&amp;name=Fig%2019.png 768w, https://www.uptycs.com/hs-fs/hubfs/Fig%2019.png?width=1024&amp;height=624&amp;name=Fig%2019.png 1024w, https://www.uptycs.com/hs-fs/hubfs/Fig%2019.png?width=1280&amp;height=780&amp;name=Fig%2019.png 1280w, https://www.uptycs.com/hs-fs/hubfs/Fig%2019.png?width=1536&amp;height=936&amp;name=Fig%2019.png 1536w" sizes="(max-width: 512px) 100vw, 512px"></a><br><em>Fig. 19 - Files encrypted by the RTM Locker ransomware</em></p>
<p>&nbsp;</p>
<h2><span style="color: #efeff1;">Uptycs XDR Coverage</span></h2>
<p><span style="color: #efeff1;">In addition to having YARA built in and being armed with other advanced detection capabilities, Uptycs XDR users can easily scan for RTM Locker. XDR contextual detection provides important details about identified malware. Users can navigate to the toolkit data section in the detection screen, then click a detected item to reveal its profile (Fig. 20).</span></p>
<p style="font-size: 12px; text-align: center;"><a href="https://2617658.fs1.hubspotusercontent-na1.net/hubfs/2617658/Fig%2020.png" rel="noopener" target="_blank"><img src="https://www.uptycs.com/hs-fs/hubfs/Fig%2020.png?width=765&amp;height=383&amp;name=Fig%2020.png" alt="Screengrab from the Uptycs detection of this RaaS" width="765" height="383" loading="lazy" style="height: auto; max-width: 100%; width: 765px; margin-left: auto; margin-right: auto; display: block;" srcset="https://www.uptycs.com/hs-fs/hubfs/Fig%2020.png?width=383&amp;height=192&amp;name=Fig%2020.png 383w, https://www.uptycs.com/hs-fs/hubfs/Fig%2020.png?width=765&amp;height=383&amp;name=Fig%2020.png 765w, https://www.uptycs.com/hs-fs/hubfs/Fig%2020.png?width=1148&amp;height=575&amp;name=Fig%2020.png 1148w, https://www.uptycs.com/hs-fs/hubfs/Fig%2020.png?width=1530&amp;height=766&amp;name=Fig%2020.png 1530w, https://www.uptycs.com/hs-fs/hubfs/Fig%2020.png?width=1913&amp;height=958&amp;name=Fig%2020.png 1913w, https://www.uptycs.com/hs-fs/hubfs/Fig%2020.png?width=2295&amp;height=1149&amp;name=Fig%2020.png 2295w" sizes="(max-width: 765px) 100vw, 765px"></a><br><em>Fig. 20 - Uptycs detection</em></p>
<p>&nbsp;</p>
<h2><span style="color: #efeff1;">IOC</span></h2>
<div data-hs-responsive-table="true" style="overflow-x: auto; max-width: 100%; width: 100%; margin-left: auto; margin-right: auto; font-size: 16px;">
<table style="width: 100%; border-collapse: collapse; table-layout: fixed; border: 1px solid #99acc2;">
<tbody>
<tr>
<td style="width: 99.8656%; padding: 4px; text-align: center;"><span style="color: #efeff1;"><strong>SHA256</strong></span></td>
</tr>
<tr>
<td style="width: 99.8656%; padding: 4px; text-align: center;"><span style="color: #efeff1;">55b85e76abb172536c64a8f6cf4101f943ea826042826759ded4ce46adc00638</span></td>
</tr>
<tr>
<td style="width: 99.8656%; padding: 4px; text-align: center;"><span style="color: #efeff1;">b376d511fb69085b1d28b62be846d049629079f4f4f826fd0f46df26378e398b</span></td>
</tr>
<tr>
<td style="width: 99.8656%; padding: 4px; text-align: center;"><span style="color: #efeff1;">d68c99d7680bf6a4644770edfe338b8d0591dfe143278412d5ed62848ffc99e0</span></td>
</tr>
</tbody>
</table>
</div>
<a id="YARA" data-hs-anchor="true"></a>
<h2><span style="color: #efeff1;">YARA</span></h2>
<p><span style="color: #efeff1;">Uptycs XDR scans the memory of newly launched processes and detects any presence of suspicious strings by using YARA rules. The rule for detecting this RTM Locker has already been made available to our customers.</span><br><br><span style="color: #efeff1;">If you’re not an Uptycs XDR customer, you can use either the YARA tool or a third-party tool to scan suspicious processes. Here we share the rule for your convenience.</span></p>
<p>&nbsp;</p>
<p><span style="font-family: 'Courier New', Courier, monospace;"><span style="color: #efeff1;">// Flags content containing the two esxcli commands, the VM-list temp file name,</span><br><span style="color: #efeff1;">// the ransom-note file name, and what is presumably a line of the ransom-note text.</span><br><span style="color: #efeff1;">rule Uptycs_Ransomware_RTM_Locker</span><br><span style="color: #efeff1;">{</span><br><span style="color: #efeff1;">&nbsp; &nbsp; meta:</span><br><span style="color: #efeff1;">&nbsp; &nbsp; &nbsp; &nbsp; malware_name = "RANSOMWARE"</span><br><span style="color: #efeff1;">&nbsp; &nbsp; &nbsp; &nbsp; description = "Ransomware is a malware that encrypts sensitive information on your system and asks for ransom in exchange for restoring the encrypted data."</span><br><span style="color: #efeff1;">&nbsp; &nbsp; &nbsp; &nbsp; author = "Uptycs Inc"</span><br><span style="color: #efeff1;">&nbsp; &nbsp; &nbsp; &nbsp; version = "1"</span><br><span style="color: #efeff1;">&nbsp; &nbsp; strings:</span><br><span style="color: #efeff1;">&nbsp; &nbsp; &nbsp; &nbsp; // "ascii wide" matches each string in both single-byte and two-byte (UTF-16 style) form.</span><br><span style="color: #efeff1;">&nbsp; &nbsp; &nbsp; &nbsp; $Ransomware_RTM_Locker_0 = "esxcli vm process list" &nbsp;ascii wide</span><br><span style="color: #efeff1;">&nbsp; &nbsp; &nbsp; &nbsp; $Ransomware_RTM_Locker_1 = "vmlist.tmp.txt" &nbsp;ascii wide</span><br><span style="color: #efeff1;">&nbsp; &nbsp; &nbsp; &nbsp; $Ransomware_RTM_Locker_2 = "esxcli vm process kill" &nbsp;ascii wide</span><br><span style="color: #efeff1;">&nbsp; &nbsp; &nbsp; &nbsp; $Ransomware_RTM_Locker_3 = "!!! Warning!!!" &nbsp;ascii wide</span><br><span style="color: #efeff1;">&nbsp; &nbsp; &nbsp; &nbsp; $Ransomware_RTM_Locker_4 = "Your network is infected by the RTM Locker command" &nbsp;ascii wide</span><br><span style="color: #efeff1;">&nbsp; &nbsp; condition:</span><br><span style="color: #efeff1;">&nbsp; &nbsp; &nbsp; &nbsp; // All five strings must be present for a match.</span><br><span style="color: #efeff1;">&nbsp; &nbsp; &nbsp; &nbsp; // NOTE(review): a build without the ESXi commands (e.g. the NAS variant) would presumably not match; verify against samples.</span><br><span style="color: #efeff1;">&nbsp; &nbsp; &nbsp; &nbsp; all of ($Ransomware_RTM_Locker*)</span><br><span style="color: #efeff1;">}</span><br></span></p></span>
          </div> 


        </article> 
        <div class="blogPostAreaSideCol"></div> 
      </div> 
    </div>

  </div> 



</div>



      </main>

      
      
    </div> 

         
     
  
    
    







  
</body></html>